[libxml2] Fix buffer over-read in xmlParseNCNameComplex
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Fix buffer over-read in xmlParseNCNameComplex
- Date: Mon, 8 Jan 2018 18:31:19 +0000 (UTC)
commit 132af1a0d1e949ea0a488c31689f83c1dde7df7d
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Mon Jan 8 18:48:01 2018 +0100
Fix buffer over-read in xmlParseNCNameComplex
Calling GROW can halt the parser if the buffer grows too large. This
will set the buffer to an empty string. Return immediately in this case,
otherwise the "current" pointer is advanced leading to a buffer over-read.
Found with OSS-Fuzz. See
https://oss-fuzz.com/testcase?key=6683819592646656
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5031
parser.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/parser.c b/parser.c
index a30dd18..afc4cb1 100644
--- a/parser.c
+++ b/parser.c
@@ -3370,9 +3370,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
*/
ctxt->input->cur -= l;
GROW;
- ctxt->input->cur += l;
if (ctxt->instate == XML_PARSER_EOF)
return(NULL);
+ ctxt->input->cur += l;
c = CUR_CHAR(l);
}
}
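Review bot: The reordering is correct, but the reason it matters deserves a comment next to the `XML_PARSER_EOF` check: once GROW halts the parser, `ctxt->input->cur` no longer points into the original buffer, so re-adding `l` before the check walks `cur` past the end of the replacement empty string and the following `CUR_CHAR(l)` over-reads. A one-line comment such as "GROW may have halted the parser and replaced the buffer; do not touch cur before checking" would keep a future refactor from moving `ctxt->input->cur += l;` back above the check. Since the `cur -= l; GROW; cur += l;` idiom is the pattern at fault rather than this one call site, it is also worth confirming that the other places in parser.c using the same rewind-and-grow sequence perform the EOF check before advancing `cur`.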